Professional Indemnity: Silent Cyber

Published 29 October 2021

The roll-out of the Lloyd’s mandate on silent cyber has impacted the professional indemnity market. The requirements of Lloyd’s Bulletin Y5277 mean that all policies must exclude or affirm cover for cyber risk. This has prompted a number of carriers in the Lloyd’s market and further afield to reconsider their approach to cyber risk.

In addition to carriers, the mandates have also required regulators of professional service firms to consider their Minimum Terms and how they address cyber risk. The SRA, RICS and ICAEW have all undertaken a review, with distinct approaches in addressing cyber risk. Reference has been made by all to modern market clauses including the recent Professional Indemnity clause IUA 04-017. Our firm assisted in the drafting of this clause.

SRA

The SRA opened a consultation on adding a new clause to the MTCs that makes it clear that the consumer protection afforded by PII arrangements equally applies if the loss arises from a cyber event. The SRA’s response to the public consultation was published on 21 October 2021 confirming that the draft clause had been submitted to the Legal Services Board for approval. The SRA have clarified that “The cover is for client and third-party protection - losses to the law firm (first-party losses), except for certain costs of investigating and defending a claim, are not covered. Firms can choose to purchase a separate cyber policy for other risks.”

The SRA added that they will monitor the impact of the change and issues about the level of cover for cyber incidents as part of a wider review of PI insurance to be undertaken by the LSB.

RICS

RICS published its draft revised wording in February 2021 and stated that it had not proposed “any significant changes to the approach of implementing the cyber risks requirements outlined in the consultation”. In addition, RICS rejected claims raised in the consultation process that any clarification of cover would not automatically result in an increase in any premiums.

The RICS proposed MTCs address first- and third-party cyber risk with a broad-brush approach. At face value, it may appear that the RICS MTCs are a reiteration of IUA 04-017 in its own language and split across multiple clauses. However, the application of the MTCs is narrower.

The RICS may have used the IUA clause as a basis, but there has been some divergence when adapting it to the language of the MTC. The MTCs do not comprehensively address all forms of loss associated with a cyber act or incident. For example, they exclude first-party costs in respect of malicious cyber attacks but do not address all other cyber-related incidents.

There are also a number of write-backs that operate in a different manner to IUA 04-017. Insurers will need to be careful to ensure that any wording aligns with the MTCs. Insurers’ wordings are unlikely to be compliant if they are substantially based on IUA 04-017.

ICAEW

In April and May 2021, the ICA announced that it would continue its approach in the application of the IUA cyber exclusionary approach in respect of first-party losses only. In line with the SRA’s approach above, the ICA considered that cover for third-party claims was integral for public policy, specifically if that loss arose from a cyber event.

This approach is evident in the MTCs, which exclude first-party losses only, remaining silent in respect of any third-party risks.

Again, insurers will need to ensure that any of their own amendments to policy wordings align with the distinct approach of the ICA.

Discussion

We do not consider it good practice to rely on difference in conditions clauses to ensure that policy wordings align with MTCs. Reasonable steps should be taken to try to align wordings from the outset. As indicated, adoption in primary policies of IUA 04-017 is unlikely to achieve compliance with MTCs in most cases.

If insurance policies are written, or co-insured, by Lloyd’s syndicates, it is a compliance requirement to specify or exclude cyber cover. We consider it important to address all principal components of cyber risk, including cyber acts, cyber incidents and data privacy liability.

Finally, where policies are amended to reflect the changes in MTCs or comply with Lloyd’s bulletins, we recommend that insurers review their reinsurance protections to ensure that they align where this is intended.

Authors

Julian Miller

London - Walbrook

+44 (0)20 7894 6859